Privacy Policy

Effective date: May 5, 2026. Last updated: May 7, 2026.

1. Scope & Acceptance

This Privacy Policy (the "Policy") describes how DriveSwap ("DriveSwap," "we," "us," "our") collects, uses, discloses, retains, and protects information about you when you visit driveswap.app, sign in with a Google account, initiate a transfer, or otherwise interact with our website, APIs, OAuth integrations, or related features (collectively, the "Service"). This Policy is incorporated by reference into our Terms of Service. By accessing or using the Service you accept this Policy. If you do not accept this Policy, do not use the Service.

This Policy may be supplemented by additional notices we provide at the point of collection or in connection with specific features. Where there is a conflict, the supplemental notice controls for the activity it covers.

Notice at Collection. This Policy serves as DriveSwap's "notice at collection" under California Civil Code § 1798.100(b) and equivalent provisions of the Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, and Florida privacy statutes. A link to this Policy is presented at OAuth sign-in and at checkout, before any Personal Information is collected.

2. Definitions

  • Personal Information / Personal Data: information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual or household.
  • Sensitive Personal Information: a sub-category that includes precise geolocation, government-issued identifiers, account log-in credentials, contents of mail/email/text not directed to us, and similar categories defined under California, Virginia, Connecticut, Colorado, and other state laws.
  • Source Account / Destination Account: the two Google accounts between which the Service copies files at your direction.
  • Sub-processor: a third-party service we engage to help operate the Service (listed in Section 13).
  • Data Subject: the natural person to whom Personal Data relates.

3. About DriveSwap & What It Does

DriveSwap is a software utility that copies files from a Source Account to a Destination Account on Google Drive using Google's public APIs, at your express direction. It acts as a passthrough: file contents transit our infrastructure only as required to complete API operations and are never written to persistent storage. We do not host, mirror, archive, or curate user content.

4. Information We Collect

4.1 Information you provide directly

  • Google account email addresses for the Source and Destination Accounts.
  • Payment metadata from Stripe checkouts: name and billing email, transaction amount, currency, country, payment-method type, and timestamp. Card numbers are never seen, transmitted, or stored by DriveSwap; they are handled by Stripe.
  • Institutional purchase information: organization name, administrative contact email, optional email-domain to allowlist, and number of seats purchased.
  • Custom organization instructions (Pro only): free-text you optionally provide to instruct AI-based file sorting.
  • Institutional content-policy text: keywords or natural-language policy descriptions you optionally configure if you administer an institutional license.
  • Communications: emails or chat messages you send us, including via support, abuse reports, DMCA notices, or sales inquiries.

4.2 Information from your authenticated Google accounts (OAuth)

  • OAuth access and refresh tokens for Source and Destination Accounts. These are short-lived credentials issued by Google.
  • Drive file metadata: file ID, name, MIME type, size, modified time, owner display name, and owner email (the latter only for files shared with you).
  • File contents (transient only): passed through our infrastructure during transfer between Google's servers, never written to persistent storage by DriveSwap.
  • Limited file text excerpts: for Google Docs / Sheets / Slides only, when you (a) provide custom organization instructions, or (b) belong to an institution that has enabled content-based restrictions. Excerpts are processed in memory and discarded after categorization.

4.3 Information collected automatically

  • Session and authentication cookies: NextAuth session, OAuth state, CSRF tokens.
  • Error and performance telemetry via Sentry: IP address, browser version, operating system, page URL, stack traces, and request metadata for failed requests.
  • Aggregate usage counters: number of transfers per day, number of paid signups per day, total file-count over time. These are stored as integer counters without personal identifiers.
  • Server logs: the cloud host (Vercel) maintains short-term logs of HTTP requests for security and performance diagnostics.

4.4 Information from third parties

  • Google: profile name and email when you sign in via OAuth, plus the data described in 4.2.
  • Stripe: webhook events confirming payment and refund status.

5. Categories of Personal Information (CCPA/CPRA)

For California residents, the following categories of Personal Information have been collected within the last twelve (12) months:

  • Identifiers: email address, name, IP address.
  • Customer records: payment metadata.
  • Commercial information: product purchased, subscription status, transaction history.
  • Internet or other electronic activity: pages viewed, browser version, OS, error logs.
  • Inferences: AI-derived sub-folder labels for organization (Pro feature only).

We have not collected the categories "biometric information," "geolocation (precise)," "sensory data," or "professional or employment information." We do not knowingly collect "information of minors under 16" for sale or sharing.

Sensitive Personal Information. The only category of Sensitive Personal Information we collect is account log-in credentials, in the form of OAuth access and refresh tokens issued by Google. These tokens are short-lived credentials used solely to perform the file-transfer operations you direct, and are deleted automatically when your session ends or when you revoke access at myaccount.google.com/permissions. We do not use Sensitive Personal Information to infer characteristics about you, and the CPRA "right to limit" therefore does not apply — but we honor any limitation request as if it did.

We do not collect any other category of Sensitive Personal Information defined under California, Virginia, Connecticut, Colorado, or other state law (no precise geolocation, no government-issued identifiers, no contents of mail/email/text not directed to us, no biometric or genetic data, no race or ethnicity, no religious beliefs, no sexual orientation, no health data, no union membership).

6. How We Use Information

We use Personal Information for the following purposes:

  • Service delivery: to authenticate you, perform transfers, organize files, send transactional notifications.
  • Payment processing: to grant or revoke Pro/Institutional access via Stripe.
  • Security and fraud prevention: to detect, investigate, and prevent abuse, fraud, and unauthorized access; to enforce rate limits; and to comply with security obligations.
  • Customer support: to respond to your inquiries, resolve issues, and improve service quality.
  • Product improvement and analytics: to understand aggregate usage patterns, diagnose errors, and improve features.
  • Transactional communications: emails directly tied to your use of the Service (transfer completion, payment receipts, security alerts, expiry reminders for active subscriptions). These cannot be turned off without ceasing use of the Service or revoking OAuth access.
  • Commercial lifecycle communications: win-back emails, abandoned-scan nudges, and post-transfer review requests. These are commercial messages under the CAN-SPAM Act (15 U.S.C. § 7702(2)) and contain a one-click unsubscribe link and DriveSwap's physical mailing address. You may opt out of all commercial messages at any time without affecting your access to the Service.
  • Institutional policy enforcement: when an institution has configured content-based restrictions for its email domain.
  • Legal compliance: to comply with applicable laws, lawful requests, and to enforce our Terms.
  • Corporate transactions: in the context of a merger, acquisition, financing, or sale of assets, with reasonable notice and equivalent privacy protections.

We do not sell Personal Information for monetary consideration, share Personal Information for cross-context behavioral advertising, or use Personal Information to train any artificial-intelligence model.

7. Lawful Bases for Processing (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases:

  • Performance of a contract (Art. 6(1)(b)): to provide the Service you purchased or signed up for.
  • Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent fraud, send service-related communications, and conduct aggregate analytics. We balance these interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and legal-process obligations.
  • Consent (Art. 6(1)(a)): where we obtain your consent (e.g., for cookies that are not strictly necessary, where required by your jurisdiction). You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Vital interests (Art. 6(1)(d)): in rare emergencies (e.g., responding to a credible imminent-harm scenario).

8. Google API Services User Data Policy / Limited Use

DriveSwap's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including its "Limited Use" requirements. Specifically, Google user data accessed through DriveSwap is:

  • used only to provide or improve the file-transfer functionality you initiated;
  • never sold;
  • never used or transferred for serving advertisements, including retargeting, personalized, or interest-based advertising;
  • never used to develop, train, or improve any generalized or third-party artificial-intelligence model;
  • not transferred to any human except (i) at your direction, (ii) for security purposes such as investigating abuse, (iii) to comply with applicable law, or (iv) as part of a merger, acquisition, or sale of assets with appropriate notice.

9. AI & Automated Processing Disclosure

When you opt into AI-assisted file organization, file names and MIME types — and, for Google Docs / Sheets / Slides, brief text excerpts — are sent to Anthropic's Claude API to generate sub-folder labels. When an institution enables content-based restrictions, file names and brief text excerpts may also be sent to Claude for policy classification. Anthropic's use of this information is governed by its Commercial Terms and Privacy Policy; under those terms, Anthropic does not use API data to train its models.

No solely-automated decisions with legal or similarly significant effect. The Service does not use solely automated decision-making (including profiling) to make decisions producing legal or similarly significant effects on you. AI-assigned sub-folder labels are an organizational convenience and do not constrain your access, pricing, or any legal right.

Profiling opt-out. Although no qualifying profiling occurs, we automatically honor universal opt-out signals — including the Global Privacy Control (GPC) and any successor mechanism recognized under Colorado 4 CCR 904-3 Rule 5 — as a request to opt out of profiling, sale, and sharing.

10. OAuth Scopes Requested

  • Destination Account: https://www.googleapis.com/auth/drive.file — permits creation of, and access to, only files DriveSwap creates. We cannot read pre-existing files in your Destination Account.
  • Source Account: https://www.googleapis.com/auth/drive.readonly — read-only access to files in the Source Account. DriveSwap cannot delete, rename, move, or modify Source files.
  • Both: openid, email, profile — to identify the signed-in user.

You may revoke any of these permissions at any time at myaccount.google.com/permissions.

11. Cookies, Local Storage & Similar Technologies

We use the following categories of storage and tracking technologies. None are used for cross-site advertising or behavioral profiling.

  • Strictly necessary cookies: NextAuth session cookies, OAuth state cookies, source-account cookies, CSRF cookies. Required for the Service to function; cannot be disabled.
  • Performance cookies: anonymous diagnostic data attached to error reports.
  • Browser localStorage: transfer state (file lists, progress, selected categories, retry queue, recent transfer history, parent folder ID). Lives only on your device. You can clear it at any time via your browser settings.
  • Crisp chat widget (when present): may set cookies to maintain chat history. For visitors detected as accessing the Service from the EU, EEA, or UK, the widget is loaded in consent-mode and no non-essential cookies are dropped until you opt in by opening the chat. Crisp's use is governed by its own Privacy Policy.

12. No Sale, No Sharing for Targeted Ads

DriveSwap does not sell Personal Information for monetary consideration. DriveSwap does not share Personal Information for cross-context behavioral advertising. DriveSwap does not engage in "targeted advertising" as defined under Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, or any other state law. We have not done so in the preceding twelve (12) months and have no plans to do so.

13. Sub-processors & Recipients of Information

We share Personal Information with the following Sub-processors strictly to operate the Service. Each is bound by its own terms, privacy policy, and (where applicable) data-processing agreement.

  • Google LLC — Drive API, OAuth, identity. Region: global. Purpose: authentication and file API operations.
  • Vercel Inc. — application hosting, edge compute, request logs. Region: primarily United States. Purpose: serving the Service.
  • Upstash Inc. — Redis storage. Region: primarily United States. Purpose: storing Pro entitlements, promo codes, deduplication keys, and aggregate counters.
  • Stripe, Inc. — payment processing. Region: United States. Purpose: charging your card, issuing refunds, fraud screening.
  • Resend, Inc. — transactional email delivery. Region: United States. Purpose: sending Service-related email.
  • Anthropic PBC — Claude API. Region: United States. Purpose: AI-based file categorization and content scanning.
  • Functional Software, Inc. (Sentry) — error and performance monitoring. Region: United States. Purpose: diagnostics.
  • Crisp IM SAS — live chat widget. Region: European Union. Purpose: support chat (when enabled on a page where you interact with it).

We may also disclose Personal Information: (a) when required by law, subpoena, court order, or other legally compelled process; (b) to enforce our Terms or this Policy; (c) to protect our rights, property, or safety, or the rights, property, or safety of any third party; (d) in connection with an investigation of suspected fraud, security incident, or violation of policy; (e) to a successor entity in a merger, acquisition, financing, or sale of assets.

We may engage additional Sub-processors over time. Material changes will be reflected in this Policy. Institutional customers may request a current Sub-processor list.

14. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions where our Sub-processors operate. Privacy laws in those jurisdictions may differ from those in your country. By using the Service you consent to such transfers.

For transfers from the EEA, the United Kingdom, or Switzerland to the United States, we rely (where applicable) on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and equivalent safeguards. Where a Sub-processor is certified under the EU-U.S. Data Privacy Framework, the UK Extension, and/or the Swiss-U.S. Data Privacy Framework, we may also rely on those frameworks.

One Sub-processor (Crisp IM SAS) is established in the European Union, so support-chat content you send may be processed in the EU. Transfers from the United States to the EU rely on the data importer's adherence to the GDPR.

15. Retention & Deletion

We retain Personal Information only as long as necessary for the purposes described in this Policy, except where a longer retention period is required by law.

  • OAuth access tokens: retained only for the active session (session cookies expire automatically).
  • OAuth refresh tokens: retained until you revoke access at Google or your session ends, whichever is first.
  • Pro / Institutional entitlement records: retained for thirty (30) days after expiry, then deleted.
  • Aggregate usage counters: retained indefinitely without personal identifiers.
  • Payment records: retained as required by tax and accounting law (typically seven (7) years), held by Stripe.
  • Email-suppression and event-deduplication keys: 7–365 days.
  • Pending review-request keys: up to 7 days.
  • Scan-tracking keys (for abandoned-transfer nudges): up to 48 hours.
  • Sentry error events: 30 days by default.
  • Vercel access logs: per Vercel's standard retention.
  • Browser localStorage: lives only on your device until you start a new transfer or clear browser data.
  • File contents: never persisted by DriveSwap.

When the retention period for a category ends, we delete or anonymize the information unless legal hold or pending dispute requires otherwise.

Mapping to Section 5 categories. For California-resident requests, Section 5 categories map to the retention periods above as follows:

  • Identifiers (email, name, IP): retained for the life of your account, plus thirty (30) days after Pro/Institutional expiry; IP addresses in Sentry: 30 days.
  • Customer records (payment metadata): seven (7) years, held by Stripe.
  • Commercial information (purchases, subscription status): thirty (30) days after expiry.
  • Internet or other electronic activity: 30 days (Sentry) or per Vercel standard retention (access logs).
  • Inferences (AI sub-folder labels): not persisted by DriveSwap; stored only in your Destination Account.
  • Sensitive Personal Information (OAuth tokens): only for the active session.

16. Security & Incident Response

We implement industry-standard administrative, technical, and physical safeguards intended to protect Personal Information from unauthorized access, disclosure, alteration, and destruction. These include TLS for data in transit, OAuth-based authentication, HTTP-only and secure cookies, least-privilege OAuth scopes, scoped API keys, principle-of-least-privilege internal access, encrypted storage at the Sub-processor layer, and ongoing monitoring via Sentry.

No system is completely secure. By using the Service you acknowledge there is residual risk. In the event we become aware of a security incident affecting your Personal Information that triggers a legal notification obligation, we will notify the appropriate supervisory authority and (where required) affected Data Subjects within the timeframe required by law.

17. Your Privacy Rights

Subject to verification and applicable law, you may have the following rights regarding your Personal Information:

  • Right to know / access: confirmation of whether we process Personal Information about you and a copy of that information.
  • Right to correct / rectify: correction of inaccurate or incomplete information.
  • Right to delete / erasure: deletion of Personal Information, subject to legal exceptions.
  • Right to data portability: receipt of your Personal Information in a structured, commonly used, machine-readable format.
  • Right to restrict or object: restriction of, or objection to, certain processing (including direct marketing — though our communications are transactional, not marketing).
  • Right to withdraw consent: where processing relies on consent, you may withdraw at any time without affecting prior processing.
  • Right to opt out: of sale, sharing, or targeted advertising — although we do not engage in any of these.
  • Right to limit use of Sensitive Personal Information: under the CPRA — although we do not use SPI for inference.
  • Right against discrimination: we will not discriminate against you for exercising any of these rights.
  • Right to lodge a complaint: with the supervisory authority in your jurisdiction.
  • Right to appeal: if we deny a request, residents of certain U.S. states (e.g., Virginia, Colorado, Connecticut) may appeal our decision; instructions will be provided in our denial response.

18. How to Exercise Your Rights

Email privacy@driveswap.app with the subject line "Privacy Request" describing the right you wish to exercise and the email address(es) on file. We will:

  • acknowledge receipt within ten (10) business days, as required by 11 CCR § 7021;
  • verify your identity using information already in our possession (typically by responding from the email address associated with your account);
  • respond within forty-five (45) days for U.S. requests (extendable by an additional 45 days where reasonably necessary, with notice) and within thirty (30) days for GDPR/UK GDPR requests (extendable by 60 days for complex requests);
  • provide our response in a portable, electronic format wherever practicable.

Authorized agents. You may use an authorized agent to submit a request on your behalf. The agent must provide (a) a written, signed permission demonstrating your authorization, and (b) sufficient information for us to verify the agent's identity. We may also contact you directly to confirm the request. Authorized agents acting under California law must comply with Cal. Civ. Code § 1798.140(d) and 11 CCR § 7063, including registration with the California Secretary of State where required. We may deny a request from an agent who does not provide proof of authority or who refuses verification.

Submission methods. Email is the primary intake channel for privacy requests, which is permissible under 11 CCR § 7020(c) for businesses operating exclusively online. We are evaluating an interactive request webform; until it launches, please use email.

You may also revoke OAuth access at any time at myaccount.google.com/permissions.

19. State-Specific Privacy Disclosures

California (CCPA/CPRA). The Section 5 categories of Personal Information have been collected in the past 12 months. We do not sell or share Personal Information. We have not, in the prior 12 months, disclosed Personal Information for a business purpose other than as described in Section 13. To exercise your CCPA/CPRA rights, see Section 18. California residents under 16 are not the intended audience of the Service.

Virginia (VCDPA). Virginia residents have the rights described in Section 17 and may appeal a denied request by replying to our denial email.

Colorado (CPA). Colorado residents may exercise rights described in Section 17. We provide an appeals process via the same email channel.

Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), Florida (FDBR). Residents of these states have the rights granted by the respective laws, exercised as described in Section 18.

Nevada. We do not sell "covered information" about Nevada consumers within the meaning of NRS 603A.

20. International Privacy Disclosures

EU/EEA, UK, Switzerland. Our processing is described above. Lawful bases are listed in Section 7. International transfers are addressed in Section 14. You may lodge a complaint with the supervisory authority in your country of residence.

Canada. We comply with PIPEDA and applicable provincial laws (including Quebec Law 25). Quebec residents may contact our representative at the email below; consent for use is obtained when you accept this Policy.

Australia. We comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth) where applicable.

Brazil. We comply with the Lei Geral de Proteção de Dados (LGPD) where applicable.

Other jurisdictions. Where local laws apply, we honor equivalent rights to those described in Section 17.

21. Children's Privacy

The Service is not directed to, and we do not knowingly collect Personal Information from, children under thirteen (13) years of age (or sixteen (16) where that is the age of digital consent). If you believe a child has provided Personal Information to the Service, contact us at privacy@driveswap.app and we will promptly delete it. We comply with the Children's Online Privacy Protection Act (COPPA) and equivalent laws.

22. Do Not Track & Global Privacy Control

Some browsers transmit a "Do Not Track" signal. Because there is no consensus on how to interpret these signals, the Service does not currently respond to them. Where required by law (e.g., California), we honor the Global Privacy Control (GPC) signal as a request to opt out of sale or sharing — although we do not engage in either.

23. Third-Party Links & Services

The Service may contain links to or integrations with third-party websites or services. This Policy does not apply to those properties. We are not responsible for the privacy practices of third parties. Review their privacy policies before providing them with information.

24. Commercial & Transactional Communications

DriveSwap sends two types of email:

  • Transactional (transfer completion, payment receipts, security alerts, expiry reminders for active subscriptions). These are necessary to operate the Service. You can stop them by ceasing use of the Service or revoking OAuth access.
  • Commercial lifecycle (win-back emails, abandoned-scan nudges, post-transfer review requests). Each such message includes (i) clear identification as a commercial message, (ii) DriveSwap's physical mailing address, and (iii) a one-click unsubscribe link, in compliance with the CAN-SPAM Act, Canada's Anti-Spam Legislation (CASL), and equivalent laws. You may also opt out at any time by emailing privacy@driveswap.app. Opting out of commercial messages does not affect your access to the Service.

We do not send unrelated promotional offers, third-party advertising, or any messages that share, rent, or sell your contact information.

25. Changes to This Policy

We may update this Policy from time to time. The "Last updated" date reflects the most recent revision. Material changes will be highlighted on the Service or notified by email where reasonably practicable. Continued use of the Service after changes take effect constitutes acceptance of the revised Policy. Where required by law, we will obtain renewed consent.

26. Contact & Data Controller Identity

For privacy inquiries, data-rights requests, complaints, or to identify the data controller responsible for your information, email privacy@driveswap.app. We will respond within the timelines set out in Section 18.

Mailing address for legal notices. DriveSwap, [P.O. Box / mailing address pending], United States.

For institutional customers, supplemental Data Processing Agreements are available upon written request.
